| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Aug 2015 17:51:59 +0200
From: Frederic Weisbecker <fweisbec@...il.com>
To: Andy Lutomirski <luto@...nel.org>
Cc: Peter Zijlstra <peterz@...radead.org>,
linux-kernel@...r.kernel.org, Brian Gerst <brgerst@...il.com>,
Steven Rostedt <rostedt@...dmis.org>,
Borislav Petkov <bp@...en8.de>,
Thomas Gleixner <tglx@...utronix.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
X86 ML <x86@...nel.org>,
Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>
Subject: Re: [PATCH 1/3] x86/perf/hw_breakpoint: Disallow kernel breakpoints
unless kprobe-safe
On Thu, Jul 30, 2015 at 08:32:40PM -0700, Andy Lutomirski wrote:
> Code on the kprobe blacklist doesn't want unexpected int3
> exceptions. It probably doesn't want unexpected debug exceptions
> either. Be safe: disallow breakpoints in nokprobes code.
>
> On non-CONFIG_KPROBES kernels, there is no kprobe blacklist. In
> that case, disallow kernel breakpoints entirely.
>
> It will be particularly important to keep hw breakpoints out of the
> entry and NMI code once we move debug exceptions off the IST stack.
>
> Signed-off-by: Andy Lutomirski <luto@...nel.org>
> ---
> arch/x86/kernel/hw_breakpoint.c | 15 +++++++++++++++
> include/linux/kprobes.h | 2 ++
> kernel/kprobes.c | 2 +-
> 3 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
> index 7114ba220fd4..78f3e90c5659 100644
> --- a/arch/x86/kernel/hw_breakpoint.c
> +++ b/arch/x86/kernel/hw_breakpoint.c
> @@ -32,6 +32,7 @@
> #include <linux/irqflags.h>
> #include <linux/notifier.h>
> #include <linux/kallsyms.h>
> +#include <linux/kprobes.h>
> #include <linux/percpu.h>
> #include <linux/kdebug.h>
> #include <linux/kernel.h>
> @@ -243,6 +244,20 @@ static int arch_build_bp_info(struct perf_event *bp)
> info->type = X86_BREAKPOINT_RW;
> break;
> case HW_BREAKPOINT_X:
> + /*
> + * We don't allow kernel breakpoints in places that are not
> + * acceptable for kprobes. On non-kprobes kernels, we don't
> + * allow kernel breakpoints at all.
> + */
> + if (bp->attr.bp_addr >= TASK_SIZE_MAX) {
> +#ifdef CONFIG_KPROBES
> + if (within_kprobe_blacklist(bp->attr.bp_addr))
> + return -EINVAL;
> +#else
> + return -EINVAL;
> +#endif
> + }
> +
It should be done on generic code I think. In validate_hw_breakpoint()
under the arch_check_bp_in_kernelspace() check.
> info->type = X86_BREAKPOINT_EXECUTE;
> /*
> * x86 inst breakpoints need to have a specific undefined len.
> diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
> index 1ab54754a86d..8f6849084248 100644
> --- a/include/linux/kprobes.h
> +++ b/include/linux/kprobes.h
> @@ -267,6 +267,8 @@ extern void show_registers(struct pt_regs *regs);
> extern void kprobes_inc_nmissed_count(struct kprobe *p);
> extern bool arch_within_kprobe_blacklist(unsigned long addr);
>
> +extern bool within_kprobe_blacklist(unsigned long addr);
The name was fine for a kprobe's private function. But if you make
it public, maybe standardize the prefix like kprobes_within_blacklist().
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists